Summary

Sub-menu:/ip firewall mangle

Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees, NAT, routing. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.

Additionally, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.

Properties

action (action name; Default: accept)

Action to take if packet is matched by the rule:

accept - accept the packet. Packet is not passed to next firewall rule.

change-mss - change Maximum Segment Size field value of the packet to a value specified by the new-mss parameter

change-ttl - change Time to Live field value of the packet to a value specified by the new-ttl parameter

clear-df - clear 'Do Not Fragment' Flag

jump - jump to the user defined chain specified by the value of jump-target parameter

log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough

mark-connection - place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule

mark-packet - place a mark specified by the new-packet-mark parameter on a packet that matches the rule

mark-routing - place a mark specified by the new-routing-mark parameter on a packet. This kind of mark is used for policy routing purposes only

passthrough - if packet is matched by the rule, increase counter and go to next rule (useful for statistics).

return - pass control back to the chain from where the jump took place

Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list

address-list-timeout (time; Default: 00:00:00)

Time interval after which the address will be removed from the address list specified by the address-list parameter. Used in conjunction with the add-dst-to-address-list or add-src-to-address-list actions.
A value of 00:00:00 leaves the address in the address list forever.

chain (name; Default: )

Specifies to which chain the rule will be added. If the input does not match the name of an already defined chain, a new chain will be created.

comment (string; Default: )

Descriptive comment for the rule.

connection-bytes (integer-integer; Default: )

Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 means infinity; for example, connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection.

Can match connections that are srcnatted, dstnatted or both. Note that for connection-state=related connections the connection-nat-state is determined by the direction of the first packet, and if connection tracking needs to use dst-nat to deliver this connection to the same host as the main connection, it will be in connection-nat-state=dstnat even if there are no dst-nat rules at all.

connection-rate (Integer 0..4294967295; Default: )

Connection Rate is a firewall matcher that allows traffic to be captured based on the present speed of the connection.

connection-state (established | invalid | new | related; Default: )

Interprets the connection tracking analysis data for a particular packet:

established - a packet which belongs to an existing connection

invalid - a packet that does not have a determined state in connection tracking (usually severely out-of-order packets, packets with a wrong sequence/ack number, or the result of resource overuse on the router). For this reason an invalid packet will not participate in NAT (as only connection-state=new packets do) and will still contain the original source IP address when routed. We strongly suggest dropping all connection-state=invalid packets in the firewall filter forward and input chains

new - the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions

related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection
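The drop rules recommended above, written out as an added example that is not part of the original page. They live in /ip firewall filter rather than mangle, and the comments and rule order (invalid dropped before established/related is accepted) are this example's own choices:

```routeros
# Added example: drop connection-state=invalid in both the input and forward
# chains, placed before the accept rules so invalid packets never reach them.
/ip firewall filter
add chain=input connection-state=invalid action=drop \
    comment="drop invalid packets addressed to the router itself"
add chain=forward connection-state=invalid action=drop \
    comment="drop invalid packets transiting the router"
# Packets of tracked connections are then accepted cheaply by state.
add chain=input connection-state=established,related action=accept
add chain=forward connection-state=established,related action=accept
```

Because the invalid rules sit first, a packet that connection tracking cannot classify is discarded before any later rule (including NAT-dependent ones) sees it, which is exactly the case the matcher description warns about.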

Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address / destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire].

count - maximum average packet rate measured in packets per time interval

time - specifies the time interval in which the packet rate is measured (optional)

Actual interface the packet has entered the router, if incoming interface is bridge

in-interface (name; Default: )

Interface the packet has entered the router

ingress-priority (integer: 0..63; Default: )

Matches the ingress priority of the packet. Priority may be derived from the VLAN, WMM or MPLS EXP bits.

ipsec-policy (in | out, ipsec | none; Default: )

Matches the policy used by IPsec. The value is written in the following format: direction, policy. Direction is used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.

List of source ports and ranges of source ports. Applicable only if protocol is TCP or UDP.

src-mac-address (MAC address; Default: )

Matches source MAC address of the packet

tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg; Default: )

Matches specified TCP flags

ack - acknowledging data

cwr - congestion window reduced

ece - ECN-echo flag (explicit congestion notification)

fin - close connection

psh - push function

rst - drop connection

syn - new connection

urg - urgent data

tcp-mss (integer: 0..65535; Default: )

Matches TCP MSS value of an IP packet

time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: )

Allows creation of a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date

tls-host (string; Default: )

Matches traffic based on the TLS hostname. Accepts glob syntax for wildcard matching. Note that the matcher will not be able to match the hostname if the TLS handshake frame is fragmented into multiple TCP segments (packets).

Menu specific commands

Basic examples

Change MSS

It is a well-known fact that VPN links have a smaller packet size due to encapsulation overhead. A large packet with an MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has the DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) this may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.

In the case of a link with broken PMTUD, decreasing the MSS of the packets passing through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:
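An added MSS-clamping example, not the page's own configuration: it matches only TCP SYN packets (the segment that carries the MSS option) whose advertised MSS is larger than the link can carry, and rewrites it with action=change-mss. The interface name pppoe-out1 and the value 1300 are assumptions; use the real tunnel interface and a value that fits its MTU (MTU minus 40 bytes of IPv4 and TCP headers).

```routeros
# Added example: clamp TCP MSS in both directions of a VPN link.
# tcp-mss=1301-65535 restricts the rule to SYNs that actually need lowering.
/ip firewall mangle
add chain=forward out-interface=pppoe-out1 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 action=change-mss new-mss=1300 passthrough=yes \
    comment="clamp MSS of TCP SYN leaving via the VPN link"
add chain=forward in-interface=pppoe-out1 protocol=tcp tcp-flags=syn \
    tcp-mss=1301-65535 action=change-mss new-mss=1300 passthrough=yes \
    comment="clamp MSS of TCP SYN arriving via the VPN link"
```

Limiting the match to tcp-flags=syn keeps the rule off the data packets entirely, so the per-packet cost is paid once per connection rather than for every segment.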

The setup looks quite simple and will probably work without problems in small networks. Now multiply the number of rules by 10, add a few hundred entries to the address list, run 100Mbit of traffic over this router and you will see how rapidly CPU usage increases. The reason for such behavior is that each rule reads the IP header of every packet and tries to match the collected data against the parameters specified in the firewall rule.

Fortunately, if connection tracking is enabled, we can use connection marks to optimize our setup.

Now the first rule will try to match data from the IP header only for the first packet of a new connection and add a connection mark. The next rule will no longer check the IP header for each packet; it will just compare connection marks, resulting in lower CPU consumption. Additionally, passthrough=no was added, which helps to reduce CPU consumption even more.
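The two variants described above, written out as an added example (constructed for this page, not the original wiki configuration): the naive per-packet address-list match first, then the connection-mark version in which only the first packet of each new connection is inspected. The address list name clients, the subnet 192.168.88.0/24, the LAN interface ether2-lan and the mark names are assumptions.

```routeros
# Added example: constructed address list of clients to be marked for queuing.
/ip firewall address-list
add list=clients address=192.168.88.0/24

# Variant 1 (slow): every forwarded packet is looked up in the address list,
# so the IP header is parsed and compared for each packet of each connection.
/ip firewall mangle
add chain=forward src-address-list=clients action=mark-packet \
    new-packet-mark=clients-up passthrough=yes comment="slow: per-packet lookup"
add chain=forward dst-address-list=clients action=mark-packet \
    new-packet-mark=clients-down passthrough=yes comment="slow: per-packet lookup"

# Variant 2 (optimized): the address list is consulted only for the first
# packet of a new, not yet marked connection; the result is stored as a
# connection mark. Every later packet is marked by comparing connection marks
# and the cheap in-interface check, and passthrough=no stops evaluation of
# further mangle rules in the chain once the packet mark is set.
/ip firewall mangle
add chain=forward connection-state=new connection-mark=no-mark \
    src-address-list=clients action=mark-connection \
    new-connection-mark=clients-conn passthrough=yes \
    comment="inspect IP header once per connection"
add chain=forward connection-mark=clients-conn in-interface=ether2-lan \
    action=mark-packet new-packet-mark=clients-up passthrough=no \
    comment="upload: matched by connection mark only"
add chain=forward connection-mark=clients-conn \
    action=mark-packet new-packet-mark=clients-down passthrough=no \
    comment="download: matched by connection mark only"
```

Only one variant should be active at a time; the first block is kept here purely for comparison. Note that the connection mark persists for the life of the connection, so a host added to or removed from the address list affects new connections only, which is a consequence of the optimization worth remembering when the list is used for anything policy-related.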